REVIEW OF ALLEGATIONS CONCERNING
HOW THE LOAN MANAGEMENT AND
ACCOUNTING SYSTEM MODERNIZATION
PROJECT IS BEING MANAGED

Report Number: 9-17
Date Issued: July 30, 2009

Prepared by the
Office of Inspector General
U.S. Small Business Administration

U.S. Small Business Administration
Office of Inspector General
Memorandum

To:      Eric R. Zarnikow                                  Date: July 30, 2009
         Associate Administrator for Capital Access

         Christine Rider
         Chief Information Officer

From:    Debra S. Ritt                                     /s/ Original Signed
         Assistant Inspector General for Auditing

Subject: Final Report on the Review of Allegations Concerning How the Loan
         Management and Accounting System Modernization Project is Being Managed
         Report No. 9-17

This report presents the results of our review of allegations regarding the Small Business Administration's (SBA) management of the Loan Management and Accounting System (LMAS) Modernization Project. LMAS, which will receive supplemental funding from the American Recovery and Reinvestment Act, is integral to SBA's strategy for improving, streamlining and automating information technology systems related to lender processes and lender oversight.

The project was initiated in November 2005 to integrate the Agency's loan monitoring and financial management systems and to move them to a new operating platform. The project also included the modernization of all the loan system components, from the core loan functions to the 19 subsystems associated with loan processing and servicing operations.

In December 2008, the Office of Inspector General received a complaint primarily alleging that (1) because the Quality Assurance (QA) process established for the project was not independent from the project management staff, issues identified by the Quality Assurance/Independent Verification and Validation (QA/IV&V) contractor were not being reported to senior management; (2) a defined process for accepting contract deliverables had not been established; (3) deliverables for one of the contracts were behind schedule; (4) contractor employees participated in meetings without being cleared or trained on information security procedures; and (5) the risk management process established for the project was immature. The complaint also made other minor allegations involving desktop security and events that had not yet occurred or were outside the scope of the LMAS project. Our review of the complaint focused on only the five major issues outlined above.

To determine whether the QA process was independent from project management staff, we examined SBA's files for the three LMAS blanket purchase agreements (QA/IV&V, project management, and systems integration) to identify the project reporting structure and assess compliance with SBA's Systems Development Methodology (SDM) requirements for QA. We also evaluated actions taken by SBA to implement our prior audit recommendations that an independent project-level QA process be established and that an enterprise-wide QA function be implemented.[1] We assessed whether project issues identified by the QA/IV&V contractor were being reported to senior management by comparing contractor findings of deficiencies with those noted on the project's risk register[2] and project plans,[3] and through discussions with program management and the Chief Information Officer (CIO).

To determine whether a process had been established for accepting contract deliverables, we compared the deliverable review process established for the LMAS project with requirements established in the SDM and with the contractor's SDM criteria. To assess the timeliness of contract deliverables, we interviewed the Program and Project Managers and compared due dates on multiple project plans. To determine whether contractor staff participated on the project before being cleared, we: reviewed SBA's clearance policies; identified contract employees from project documentation; obtained information on the meetings they attended and tasks they were assigned; and determined whether they had the required clearance forms.

To determine the maturity of LMAS risk management, we compared LMAS risk management practices with those established in the Risk Management Plan for the project and the Office of Management and Budget's (OMB) Capital Programming Guide.[4] We also obtained information from contract procurement officials, the Office of the Chief Information Officer (OCIO), and LMAS project officials. We performed our review between September 2008 and April 2009 in accordance with Chapter 6 of the Government Auditing Standards prescribed by the Comptroller General of the United States.

[1] Recommendation No. 4; OIG Report No. 8-13, Planning for the Loan Management and Accounting System Modernization and Development Effort, May 14, 2008.
[2] The risk register is an iterative document that summarizes all risks that may affect the project, their causes, and potential responses.
[3] The Program Manager defined the project plans as "work breakdown structures."
[4] Supplement to OMB Circular A-11, Part 7: Planning, Budgeting and Acquisition of Capital Assets.

BACKGROUND

The LMAS project is one in a series of attempts by SBA during the past several years to upgrade existing financial software and application modules and to migrate them off the mainframe environment. LMAS remained in the planning phase until September 2008, when SBA awarded three blanket purchase agreements to: (1) establish QA/IV&V monitoring and oversight ($5 million); (2) provide project management support ($7.5 million); and (3) provide systems integration services ($250 million). To date, three task orders have been issued from the third blanket purchase agreement to:

• migrate the existing Joint Administrative Accounting Management System (JAAMS) application to a new hosting site;
• provide a proof of concept pilot; and
• develop a road map for the LMAS project.

To oversee the project, SBA established the LMAS Project Steering Council, which is comprised of senior management officials that meet weekly to evaluate the project status and provide direction. The Council members include the CIO, the Acting Chief Financial Officer (CFO), the Senior Advisor for Policy and Planning, the Consultant to the Administrator, the Associate and Deputy Associate Administrators for the Office of Capital Access (OCA), the Acting and Deputy Associate Administrators for Disaster Assistance, the Directors for Financial Assistance, Financial Systems and LMAS, and the Supervisory Financial Analyst for Financial Assistance. OCA is the project sponsor, and the day-to-day management of the project is the responsibility of the Program Manager, who reports to the CFO.

The OIG has issued two reports on the LMAS project since it was first conceived in 2005. In September 2005 the OIG reported that even though the Loan Accounting System (LAS) posed a substantial risk, SBA had not yet adopted and implemented a definitive migration strategy or replacement approach.[5] In May 2008 an OIG audit of the planning process for LMAS found that costly mainframe contracts had to be renewed because migration of the system was delayed. The Agency also had not established either an enterprise-wide or project-level QA function to ensure that LMAS project deliverables met SBA's requirements and quality standards, as required by the Agency's SDM policy.[6] This policy requires that an enterprise QA function, which is independent of SBA projects and programs, be established to ensure that IT projects adhere to Agency quality standards and procedures throughout the systems development and maintenance process. These standards are outlined in the OCIO's Enterprise Quality Assurance Plan.

[5] OIG Report No. 05-29, SBA Needs to Implement a Viable Solution to Its Loan Accounting System Migration Problem, September 30, 2005.
[6] OIG Report No. 8-13, Planning for the Loan Management and Accounting System Modernization and Development Effort, May 14, 2008.

The enterprise QA function also enables the OCIO to meet its mandate under the Clinger-Cohen Act to provide independent assurance that systems development, testing, and configuration management efforts are aligned with SBA's IT architecture and quality standards. Additionally, project managers are responsible for implementing a project-specific QA program built on the standards established in the Enterprise Quality Assurance Plan.

After the May 2008 OIG report, which recommended outsourcing the project-level QA function, the LMAS Program Manager contracted with the IV&V contractor to provide project-level QA and closed the recommendation.

RESULTS IN BRIEF

Our review confirmed that the project-level QA process was not independent from project management staff; a process had not been established for accepting contract deliverables until January 2009; several deliverables were behind schedule; contractors participated in meetings and were assigned tasks without being cleared or trained on SBA security procedures; and the project's risk management process was immature. We did not, however, find that the Program Manager filtered problems identified by the QA/IV&V contractor. More specifically, we found that:

• An independent QA function had not been established for the LMAS project, as we previously recommended. While a contractor had been hired to evaluate and monitor compliance with quality standards, the contractor reported to the Program Manager, which did not provide the level of independence called for by the Agency's SDM. The CIO also had not designated an independent QA Manager for the project. Because the Program Manager functioned as the QA Manager, he was in a position to determine which problems identified by the QA/IV&V contractor would be reported to senior management. However, we found no evidence to suggest that he withheld issues from senior management. We also determined that the CIO had not established an enterprise-wide QA function as previously recommended.

• The project lacked a defined process for accepting deliverables until months after task orders were awarded. A process was later defined in January 2009, which differed from the process suggested by the Agency's SDM policy. For example, it did not identify documents to be reviewed, review methods, associated review time frames, or officials that would be responsible for reviewing deliverables.

• Deliverables associated with task orders from the systems integration blanket purchase agreement were past due, which may impact timely project completion. For example, the completion date for the Integrated Baseline Review (IBR) under Systems Integration Task Order 1 slipped three months, from December 11, 2008 to March 12, 2009. The extension of the IBR due date was improper because SBA's Earned Value Management (EVM) policy requires that it be performed prior to contract initiation to establish cost, schedule, and performance goals. The March 31, 2009, completion date for the migration of JAAMS under Task Order 1 was also not met.

• Seventeen of 45 contractor employees started on the project before completing SBA's clearance process, some of whom worked on the project for more than 45 days before completing the clearance process or receiving the required computer security awareness training. These employees attended meetings, and according to the LMAS Action Items List, 10 were assigned action items. The Program Manager believed that the employees were merely attending high-level meetings, which did not require vetting through SBA's clearance process.

• The LMAS risk register did not contain all of the information recommended by OMB's Capital Programming Guide[7] and the LMAS Risk Management Plan, such as risk ratings and plans for mitigating some of the identified risks. Without a complete risk register that identifies how project staff will respond to specific risks, the success of the LMAS project could be affected.

To address these issues, we recommended that the LMAS contract be amended to require that the QA/IV&V contractor report to both the Program Manager and an independent QA Manager designated by the CIO. We also recommended that a well-defined process be established for accepting LMAS deliverables, that contractor employees not be allowed to work on LMAS until they have been properly vetted in accordance with SBA policies and procedures, and that the LMAS risk register be revised to include all fields identified in the LMAS Risk Management Plan and key information that is currently missing from the risk register. Finally, we recommended that the CIO establish an enterprise-wide QA function to ensure that all IT projects comply with Agency quality standards.

[7] Supplement to Office of Management and Budget Circular A-11, Part 7: Planning, Budgeting and Acquisition of Capital Assets.

Management's response generally disagreed with the audit results. We believe management's views were primarily those of the Program Manager, who was the subject of the allegations. We provided the Program Manager additional time to address the audit findings before issuing the draft report. However, the Program Manager was not able to provide adequate evidence supporting his disagreements with the audit findings. The Program Manager's views have been incorporated and evaluated within the body of the report. Further, while management agreed to take action on all of the recommendations, we found that the actions proposed in response to Recommendations 1, 2, 3, 5, and 7 were not sufficient to fully address the related findings. These actions largely do not comply with established IT governance protocols, such as the Agency's SDM, or are contrary to Agency policy.

Finally, we are particularly concerned that the CIO has chosen not to immediately establish a QA oversight function as a vehicle for assessing and improving IT projects, plans to provide only a "high level" Quality Manager for the LMAS project, and has not specified when the LMAS Quality Manager will be designated.

RESULTS

The Project-Level QA Function for LMAS Was Not Independent from Project Management

The complaint alleged that the QA process for monitoring LMAS performance was not independent from the Program Manager and that not all issues identified by the QA contractor were being reported to senior management. The SDM states that the project-level QA function should have a reporting channel to senior management from a QA Manager that is independent of project line management. This requirement, which the CIO confirmed applied to LMAS, was communicated to Agency staff through SBA Procedural Notice 9000-1596, issued on November 9, 2005.

However, we found that the QA/IV&V contract required the contractor to report exclusively to the Program Manager and the Contracting Officer's Technical Representative (COTR), who reports to the Program Manager. The CIO was unaware that the QA/IV&V contractor reported exclusively to the Program Manager and COTR. She also had not designated a QA Manager for the LMAS project to ensure that the project-level QA function was independent from the Program Manager. Although the CIO had been made aware of these findings in December 2008, as of May 8, 2009, a QA Manager still had not been designated for LMAS. Having a QA process that functions independently from LMAS project management provides assurance that quality and performance issues will be accurately and completely reported to senior SBA managers.

Further, although the Program Manager was in a position to determine which problems identified by the QA/IV&V contractor would be reported to senior management, we found no evidence that he withheld significant LMAS problems or risks from senior managers.

Finally, we followed up on our previous recommendation that the CIO implement an enterprise-wide QA function needed to fulfill her oversight responsibilities for information technology investments under the Clinger-Cohen Act. Although in May 2008 the CIO agreed to implement the recommendation, as of July 30, 2009, an enterprise-wide QA function had not been established.

A Well-Defined Process for Accepting Contract Deliverables Had Not Been Established

The complaint alleged that the project lacked a well-defined process for submittal, review, and approval of project deliverables. Further, the complaint alleged that the delivery of services was subject to the personal interpretations of the Program Manager instead of solid SBA policies and procedures to guarantee that the best work products possible were generated. The Agency's SDM requires that a defined process be established for accepting deliverables and suggests that the process should:

• Identify documents to be reviewed, the method of review, and associated review time frames;
• Specify the types of reviews to be performed;
• Designate a review team within the Agency that includes individuals who are responsible for application development, project management, configuration management, and QA to identify defects and ensure a final quality product; and
• Ensure that the Project Manager and QA Manager approve deliverables.

We found that a process for accepting deliverables was not established until January 29, 2009, after some deliverables were rejected, including the LMAS QA Plan. Further, the LMAS process did not fully follow the process suggested by the SDM requirements because it left to the Project Manager's discretion what documents would be reviewed, the type of review to be performed, and the composition of the review team. As a result, there was limited assurance that all deliverables would be reviewed or that reviews would be made by the appropriate parties.

The Program Manager told us that the LMAS team found no evidence of an established, documented deliverable management process in existence at SBA. Therefore, one had to be created specifically for LMAS, which is why the process was not established sooner. He also believed that the LMAS deliverable process implemented complies with the intent of the process suggested by the SDM. Further, he told us that the LMAS solution provider (SRA) was using its own systems development methodology, called ELITE, which was fully compliant with industry standards established by the Software Engineering Institute.

In January 2009, the Program Manager presented to the CIO the solution provider's mapping of its proprietary ELITE methodology to SBA's SDM to show that the LMAS project was being managed in accordance with Agency policy for systems development projects. In a May 2009 meeting, the CIO told the OIG that she had approved of SRA's approach and was satisfied that the Program Manager was complying with Agency QA requirements.

We examined the mapping document that the Program Manager provided to the CIO and concluded that it did not provide sufficient detail for the CIO to determine whether the deliverables acceptance process used by the contractor clearly defined the types of reviews to be performed on deliverables or whether the appropriate reviewing parties had been identified. For this reason, we do not believe that there is adequate assurance that the LMAS project has a well-defined process for accepting deliverables. Further, the LMAS Project Manager has sole authority to determine what deliverables get reviewed, who is accountable, and the basis for acceptance.

Contractor Deliverables Were Behind Schedule

The complaint alleged that the prime contractor was behind schedule in providing deliverables on the integration services blanket purchase agreement, and that there was no action plan to address the delays. Based on our interview with the Program Manager and a review of the work breakdown structures, we determined that the prime contractor missed multiple deliverable due dates for task orders.

One delay involved a 3-month extension of the due date for the IBR from Task Order 1, which was originally scheduled for completion on December 11, 2008. The IBR is a structured review process involving all relevant SBA stakeholders and the contractor to obtain agreement on project schedule, cost, and performance metrics and to identify risks associated with the project plan. The revised IBR completion date in a March project plan was listed as March 12, 2009. This extension, which occurred after contract initiation, was contrary to SBA's Agency Earned Value Management Policy,[8] which states:

"Per OMB Memorandum M-05-23 and Agency earned value management policy, integrated baseline reviews will be performed prior to contract initiation…" and

"…it is mandatory that all major investments (investments that cost $200,000 or more in a single year, or $500,000 or more in 3 years, and all projects deemed to be of high visibility by the Business Technology Investment Counsel) use the EVMS."[9]

The Program Manager acknowledged that the IBR should have been performed earlier in the process and stated that it will be for future task orders. Further, he acknowledged that the March 31, 2009, completion date for the migration of JAAMS under Task Order 1 was also not met. The migration was delayed 3 weeks, and JAAMS did not become operational at the new site until April 20, 2009. The Program Manager attributed the late deliverables to extreme delays in getting the contractor's security background checks completed, and to hardware failures. However, we confirmed that the length of the security clearance process was not unusual and should have been factored into the milestones established for the task order.

In addition, the baseline schedule for deliverables has been revised multiple times, giving the misleading appearance that the contract is on schedule even though original deliverable dates were not met. Per discussions with the Program and Project Managers, the deliverable tracking process established for LMAS was based on the project plans, which are updated periodically with modified deliverable due dates. Since LMAS project management did not conduct an initial IBR to establish performance, schedule and cost baselines, the Agency will not be able to accurately measure performance, which is necessary for meaningful Earned Value Management reporting.

[8] Earned Value Management is a project measurement technique that relates resource planning to technical, cost, and schedule requirements. All work is planned, budgeted, and scheduled in time-phased "planned value" increments, constituting a cost and schedule measurement baseline.
[9] SBA Earned Value Management System Policy for Information Technology (IT) Projects, December 2005.

Contractor Employees Attended Meetings without Required Security Vetting

The complaint alleged that contractors were present in planning and other meetings prior to meeting SBA requirements for background investigation and security clearance and had not completed security training requirements. Consequently, the complaint alleged that contractors waiting for clearances were privy to other contractor work plans, which could result in an unfair competitive advantage and legal action.

SBA Procedural Notice 9000-1684, SBA Form 1228 Process, requires that contractors receive a favorable preliminary background check prior to entering on duty. In addition, the LMAS systems integration task order states that the contractor is responsible for having its employees working under the task order execute all certifications required by SBA prior to beginning work. SBA requires that SBA Form 1228, Computer Access Clearance/Security Form, be used to initiate and document the security clearance process for new contractor employees.[10]

Based on our review of LMAS project meeting minutes and the LMAS Action Items List, we found that 17 of the 45 contractors on the LMAS project from November 12, 2008 to February 13, 2009, participated in the project before their background investigations were completed. These contractors attended meetings, such as the 7(a) Regular Loan Accounting Events Session and Conference Room Pilot meeting, and/or were assigned action items for the LMAS project prior to meeting SBA's background investigation and security clearance requirements.

Additionally, as of February 13, 2009, 17 of 45 contractors (including 2 who also started work before completing background investigations) had not completed their Computer Security Awareness training within 45 days, as required by the Agency's Standard Operating Procedure. Allowing contractor employees to work on the project before they have been properly vetted for security exposes sensitive SBA information to loss or misuse.

The Program Manager acknowledged that contractors started work on the project prior to being cleared, but believed that it was acceptable to do so as the contractors were not given access to sensitive SBA information. He believed that SBA procedures required security clearances to be completed prior to granting access to SBA systems or data. The Program Manager contended that 16 of the unvetted contractors worked on LMAS Task Order 2 without access to sensitive systems or data, and that the contract lead worked offsite on refining the project plan, which was not sensitive.

[10] SOP 90 47 2, Automated Information System Security Program, classifies all SBA data as sensitive and requires all contractor personnel to undergo background investigations. In addition, contractor personnel occupying positions designated as critical-sensitive cannot be given access to sensitive data until an appropriate security clearance has been granted.

Risk Tracking Process Was Not Sufficiently Developed

The complaint alleged that the LMAS risk management process was immature. In order to manage IT acquisition performance goals, OMB published the Capital Programming Guide, which recommends that agencies track project risks in a risk register. The register should, at a minimum, indicate the risk priority, rating, response strategy, and status. To implement the OMB guidance for the LMAS project, SBA created a risk register for the project.

The risk register, however, did not contain complete information on all identified risks, such as the dates that risks were identified, residual risk, contingency plans where risks cannot be resolved, and risk ownership. Due to the incomplete capture of risk information, SBA may not be able to properly respond to unplanned incidents or to remediate project risks, which may contribute to cost overruns, schedule shortfalls, and the system's inability to perform as expected. We reviewed our findings with the Program and Project Managers and provided them with the relevant OMB guidance.

RECOMMENDATIONS

We recommend that the LMAS Program Sponsor, the Associate Administrator for Capital Access:

1. Take steps to modify the contract to require the QA/IV&V contractor to report all findings and recommendations to the Program Manager and an independent QA Manager designated by the CIO.

2. Establish a process for reviewing and accepting LMAS deliverables that complies with SDM requirements.

3. Ensure contractor employees work on LMAS only after their SBA Form 1228, Computer Access Clearance/Security Form, has been signed and that they receive computer security awareness training as required.

4. Consider revising the risk register to include all fields identified in the LMAS Risk Management Plan and complete all missing information in the risk register, such as due dates, mitigation plans and risk owners.

We also recommend that the CIO:

5. Designate a QA Manager for the LMAS project to ensure that the project-level QA function is independent from the project.

6. Immediately establish an enterprise-wide QA function that is compliant with SBA's SDM QA policy.

7. Take steps to ensure that a well-defined deliverable acceptance process is established for the LMAS project in accordance with SBA's Enterprise Quality Assurance Plan.

AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

On June 12, 2009, we provided a draft of this report to SBA for comment, and on July 22, 2009, we received consolidated comments from the Associate Administrator for Capital Access, the Chief Information Officer, and the Director, Office of Financial Systems, who serves as the Program Manager for LMAS. These comments are contained in their entirety in Appendix I.

Management generally disagreed with the audit results, but agreed to take action on all of the recommendations. We are concerned that the views expressed on the audit findings are primarily those of the Program Manager, who was the subject of the allegations. Because the Program Manager's views have already been incorporated and evaluated within the body of the report, we are not repeating his comments on the audit findings here.

While the respondents agreed to take action on all of the recommendations, we found that the actions proposed in response to Recommendations 1, 2, 3, 5, and 7 were not sufficient to fully address the related findings. These actions do not comply with established IT governance protocols, such as the SDM, which are designed to mitigate risk and achieve project objectives.

We are particularly concerned that the CIO has chosen not to immediately establish a QA oversight function as a vehicle for assessing and improving IT projects, plans to provide only a "high level" Quality Manager for the LMAS project, and has not specified when the LMAS Quality Manager will be designated. Furthermore, several of the responses attempt to modify existing SBA policy. We suggest that any such changes be initiated through SBA's Clearance Procedures as outlined in SOP 00 23 6. As the Agency undertakes subsequent phases of LMAS and additional development projects, it will be critical that the OCIO provide proper oversight to ensure its standards and procedures are followed throughout the project development cycle.

We recognize the actions taken by SBA to address some of the issues that the audit team brought to their attention and look forward to resolution of all findings and implementation of all recommendations.

Recommendation 1

Management's Comments

Management has directed the QA contractor to simultaneously provide all reports to the Program Manager and OCIO's acting enterprise-level QA Manager to ensure that the QA process is independent from the project management staff.

OIG Response

Management's response is partially responsive to the recommendation. The contract terms limit communications solely to the Program Manager and COTR. Therefore, we believe modification is necessary. Modifying the contract to require the QA/IV&V contractor to report to the Program Manager and the CIO's designated QA Manager will promote the independence and impartiality of the project's QA decision-making.

Recommendation 2

Management's Comments

Management stated that the LMAS process for reviewing and accepting deliverables goes far beyond the SDM requirements. The LMAS team has created a well-defined deliverable review and approval process that exceeds the Agency's goals as stated in the SDM. However, the LMAS team will continue to review the suggestions documented in the Enterprise Quality Assurance Plan, evaluate the benefits, and adopt the suggestions that will further improve the program's deliverable management process.

OIG Response

At the time of the complaint, there was no LMAS deliverable review process.
In\nJanuary, 2009 the LMAS project team implemented a deliverable review process.\nHowever, it did not contain key elements of SDM\xe2\x80\x99s Enterprise Quality Assurance\nPlan. This plan requires that a defined process be established for accepting\ndeliverables and outlines oversight responsibilities between OCIO and the project\nteam to monitor compliance with SBA systems standards. At the present time the\n\x0c                                                                                14\n\n\nLMAS Project Manager has sole discretion to approve contract deliverables.\nAlthough management stated that it would evaluate and adopt suggestions to\nimprove the project\xe2\x80\x99s deliverable management process, it did not specify the steps\nit would take to make the current process compliant with the current oversight\nrequirements of the SDM. Therefore, we do not consider management\xe2\x80\x99s\ncomments to be fully responsive to the recommendation.\n\nRecommendation 3\n\nManagement\xe2\x80\x99s Comments\n\nManagement stated that it will continue to ensure that contractor employees who\nwork at SBA office space or who need access to sensitive SBA systems or data\nwill be granted access only after the Form 1228 has been signed. The LMAS team\nwill ensure that these contractor employees complete required training. However,\nthe LMAS team stated that it will not require background investigations and\nclearances for those contractor employees who have short-term assignments that\ndo not access SBA systems or data.\n\nOIG Response\n\nManagement\xe2\x80\x99s response does not describe the process it will employ to ensure that\ncontractor employees will not have access to sensitive SBA data unless they have\nmet SBA\xe2\x80\x99s contractor clearance requirements. 
Management\xe2\x80\x99s decision to not\nrequire background investigations for short-term contractor employees is also\ncontrary to SBA policy; and therefore, would require an exemption from policy.\nFurther, as all SBA data is classified as sensitive, it is questionable that a\ncontractor employee could work on the LMAS project for as long as 6 months\nwithout exposure to any SBA data, including loan data. If SBA proposes a\nprocess that will ensure that certain contractor employees do not have access to\nSBA data, which is approved by the CIO, then we would consider the response to\nbe sufficient to reach management decision. However, as currently stated,\nmanagement\xe2\x80\x99s comments are not responsive to the recommendation.\n\nRecommendation 4\n\nManagement\xe2\x80\x99s Comments\n\nManagement stated that the LMAS team has published a detailed Risk\nManagement Plan that contains the same fields as those in the Risk Register.\nSBA believes the recommendation to complete all missing information in the Risk\n\x0c                                                                                 15\n\n\nRegister is not cost effective or reasonable and is not based on fixing any\nperceived gap in the LMAS management.\n\nOIG Response\n\nWe found management\xe2\x80\x99s comments to fulfill the intent of our recommendation,\nand therefore, it is responsive.\n\nRecommendation 5\n\nManagement\xe2\x80\x99s Comments\n\nManagement stated the CIO will designate a high-level QA Manager to fulfill the\nindependent review function. In the meantime, the CIO is providing oversight of\nLMAS from an enterprise-level QA standpoint.\n\nOIG Response\n\nWe do not consider management\xe2\x80\x99s comments to be fully responsive to the\nrecommendation because it has not specified a target date for appointing an\nindependent project-level QA manager. 
Further, the breadth of duties of the\nindependent project-level QA Manager as described in the SDM and Enterprise\nQuality Assurance Plan require sustained and in-depth involvement. It is not clear\nwhether the proposed \xe2\x80\x9chigh-level\xe2\x80\x9d QA Manager or CIO could devote the amount\nof time that would be required of the project-level QA Manager described in the\nSDM.\n\nRecommendation 6\n\nManagement\xe2\x80\x99s Comments\n\nManagement stated that an enterprise QA framework and staffing requirements\nhave been drafted and are under review with an expected finalization date of\nOctober 30, 2009. The QA function will oversee all IT investments, including\nLMAS.\n\nOIG Response\n\nThe OIG believes that the full implementation of the QA framework, as well as\nstaffing, to fulfill this role by October 30, 2009 is responsive. However, we note\nSBA has had an Enterprise Quality Assurance Plan since April 2004. This need\n\x0c                                                                                                   16\n\n\nwas also addressed in a prior OIG recommendation, which is past due for\nimplementation.11\n\nRecommendation 7\n\nManagement\xe2\x80\x99s Comments\n\nManagement stated that the LMAS process for reviewing and accepting\ndeliverables goes far beyond SBA\xe2\x80\x99s SDM requirements. However, SBA will\ncontinue to review the LMAS Deliverable Management Process and incorporate\nchanges to further improve this process.\n\nOIG Response\n\nSBA\xe2\x80\x99s Enterprise Quality Assurance Plan requires the OCIO Quality Manager\nand Project Manager to jointly plan and oversee key deliverables, and establishes a\nvehicle for the OCIO to ensure enterprise standards are maintained in critical\nproject control areas, such as IBRs, security reviews and testing. 
However,\ncurrently the LMAS Project Manager has sole discretion to approve contract\ndeliverables, and the OCIO has not ensured a QA plan that conforms to the\nEnterprise Quality Assurance Plan has been developed and implemented.\nTherefore, management\xe2\x80\x99s response has not adequately addressed the\nrecommendation.\n\nACTIONS REQUIRED\n\nBecause your comments did not fully address Recommendations 1, 2, 3, 5, and 7,\nwe request that you provide a written response by August 14, 2009, providing\nproposed actions and target dates for implementing the recommendations.\n\nWe appreciate the courtesies and cooperation of the OCIO and LMAS project staff\nduring this audit. If you have any questions concerning this report, please call me\nat (202) 205-[FOIA ex. 2] or Jeffrey Brindle, Director, Information Technology &\nFinancial Management Group, at (202) 205-[FOIA ex. 2].\n\n\n\n\n11\n     Recommendation No. 4; OIG Report No. 08-13, Planning for the Loan Management and Accounting System\n     Modernization and Development Effort, May 14, 2008.\n\x0cAPPENDIX I.\n\x0c\x0c3\n\x0c4\n\x0c5\n\x0c6\n\x0c7\n\x0c8\n\x0c9\n\x0c10\n\x0c'